Claude Code <=1.0.3 – Bypass Confirmation Prompts via Overly Broad Allowlist
CVE-2025-55284 Published on August 16, 2025
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowlist of safe commands. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected, as versions prior to 1.0.24 are deprecated and have been forced to update.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2025-55284 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2025-55284
Want to know whenever a new CVE is published for Anthropic Claude Code? stack.watch will email you.
Affected Versions
anthropics claude-code Version < 1.0.4 is affected by CVE-2025-55284Vulnerable Packages
The following package name and versions may be associated with CVE-2025-55284
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | @anthropic-ai/claude-code | < 1.0.4 | 1.0.4 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.